On Thu, May 3, 2012 at 02:05:49PM -0500, Jaime Casanova wrote:
> On Wed, May 2, 2012 at 12:09 PM, Robert Haas <robertmhaas@gmail.com> wrote:
> > On Tue, Apr 24, 2012 at 2:55 AM, Jaime Casanova <jaime@2ndquadrant.com> wrote:
> >> On Tue, Dec 13, 2011 at 11:27 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> >>>
> >>> I think it might be sane to emit a WARNING suggesting that CREATEUSER
> >>> might not mean what you think, but failing is probably not good.
> >>>
> >>
> >> are we going to do this in this release?
> >> i never was able to think in a good phrasing for this, though
> >
> > I actually think we should just leave this alone. There is a
> > limitless number of things that someone could potentially be confused
> > by if they fail to read the documentation, and we can't warn about all
> > of them.
> >
>
> maybe is not very helpful, but it can't hurt... hey! it can save you
> because you maybe used CREATEUSER with the intention of CREATEROLE,
> and ended up with a user with restricted privileges that is actually a
> SUPERUSER... that's bad and is a POLA violation.
>
> is worse because we are the ones causing the confusion consider the syntax:
> CREATE USER = CREATE ROLE
> IN GROUP = IN ROLE
> USER = ROLE
>
> CREATEUSER != CREATEROLE
> CREATEUSER = SUPERUSER
I looked at this and can't see a way to make CREATEUSER != CREATEROLE
clearer:
The only difference is that when the command is spelled CREATE USER,
LOGIN is assumed by default, whereas NOLOGIN is assumed when the
command is spelled CREATE ROLE.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
